From e4aa445f67e146698a99b67c2a9140f6149c7222 Mon Sep 17 00:00:00 2001
From: badra001
Date: Fri, 16 Jan 2026 12:14:19 -0500
Subject: [PATCH 1/8] start common-policies
---
 policies/sc-servicecatalog-t1/README.md | 49 +++++++++++++++++++
 policies/sc-servicecatalog-t1/data.tf | 1 +
 policies/sc-servicecatalog-t1/defaults.tf | 1 +
 policies/sc-servicecatalog-t1/locals.tf | 12 +++++
 policies/sc-servicecatalog-t1/main.tf | 2 +
 policies/sc-servicecatalog-t1/module_name.tf | 3 ++
 policies/sc-servicecatalog-t1/outputs.tf | 24 +++++++++
 policies/sc-servicecatalog-t1/policy.tf | 13 +++++
 policies/sc-servicecatalog-t1/prefixes.tf | 1 +
 policies/sc-servicecatalog-t1/settings.tf | 6 +++
 .../sc-servicecatalog-t1/variables.common.tf | 1 +
 .../variables.settings.tf | 1 +
 policies/sc-servicecatalog-t1/variables.tf | 29 +++++++++++
 policies/sc-servicecatalog-t1/version.tf | 1 +
 policies/sc-servicecatalog-t1/versions.tf | 1 +
 15 files changed, 145 insertions(+)
 create mode 100644 policies/sc-servicecatalog-t1/README.md
 create mode 120000 policies/sc-servicecatalog-t1/data.tf
 create mode 120000 policies/sc-servicecatalog-t1/defaults.tf
 create mode 100644 policies/sc-servicecatalog-t1/locals.tf
 create mode 100644 policies/sc-servicecatalog-t1/main.tf
 create mode 100644 policies/sc-servicecatalog-t1/module_name.tf
 create mode 100644 policies/sc-servicecatalog-t1/outputs.tf
 create mode 100644 policies/sc-servicecatalog-t1/policy.tf
 create mode 120000 policies/sc-servicecatalog-t1/prefixes.tf
 create mode 100644 policies/sc-servicecatalog-t1/settings.tf
 create mode 120000 policies/sc-servicecatalog-t1/variables.common.tf
 create mode 120000 policies/sc-servicecatalog-t1/variables.settings.tf
 create mode 100644 policies/sc-servicecatalog-t1/variables.tf
 create mode 120000 policies/sc-servicecatalog-t1/version.tf
 create mode 120000 policies/sc-servicecatalog-t1/versions.tf
diff --git a/policies/sc-servicecatalog-t1/README.md b/policies/sc-servicecatalog-t1/README.md
new file mode 100644
index 0000000..c8eed4b
--- /dev/null
+++ b/policies/sc-servicecatalog-t1/README.md
@@ -0,0 +1,49 @@
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [aws](#requirement\_aws) | >= 3.66.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | >= 3.66.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_policy_document.inline](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no |
+| [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no |
+| [customer\_managed\_policy\_names](#input\_customer\_managed\_policy\_names) | Map of policy name to permission boundary of Customer Managed Policy to attach to the permissionset | `map(string)` | `{}` | no |
+| [inline\_policy](#input\_inline\_policy) | AWS Policy document for the single allowed inline policy | `string` | `null` | no |
+| [managed\_policy\_names](#input\_managed\_policy\_names) | Names of AWS Managed Policy to attach to the permissionset | `list(string)` | `[]` | no |
+| [name](#input\_name) | Permission Set Name for which all settings apply | `string` | `null` | no |
+| [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component.
This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
+| [relay\_state](#input\_relay\_state) | Relay State to pass along to permissionset | `string` | `null` | no |
+| [settings\_file](#input\_settings\_file) | File name and path to YAML with users(list), account\_ids(list), org\_ous(list), and all(bool). See sample.yml in code. | `string` | `null` | no |
+| [tags](#input\_tags) | AWS Tags to apply to appropriate resources | `map(string)` | `{}` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [customer\_managed\_policy\_names](#output\_customer\_managed\_policy\_names) | Map of policy name to permission boundary of Customer Managed Policy to attach to the permissionset |
+| [inline\_policy](#output\_inline\_policy) | AWS Policy document for the single allowed inline policy (use .json to get policy) |
+| [managed\_policy\_names](#output\_managed\_policy\_names) | Names of AWS Managed Policy to attach to the permissionset |
+| [name](#output\_name) | Permission Set Name for which all settings apply |
+| [relay\_state](#output\_relay\_state) | Relay State to pass along to permissionset |
diff --git a/policies/sc-servicecatalog-t1/data.tf b/policies/sc-servicecatalog-t1/data.tf
new file mode 120000
index 0000000..37fff16
--- /dev/null
+++ b/policies/sc-servicecatalog-t1/data.tf
@@ -0,0 +1 @@
+../../common/data.tf
\ No newline at end of file
diff --git a/policies/sc-servicecatalog-t1/defaults.tf b/policies/sc-servicecatalog-t1/defaults.tf
new file mode 120000
index 0000000..1227df3
--- /dev/null
+++ b/policies/sc-servicecatalog-t1/defaults.tf
@@ -0,0 +1 @@
+../../common/defaults.tf
\ No newline at end of file
diff --git a/policies/sc-servicecatalog-t1/locals.tf b/policies/sc-servicecatalog-t1/locals.tf
new file mode 100644
index 0000000..5cba936
--- /dev/null
+++ b/policies/sc-servicecatalog-t1/locals.tf
@@ -0,0 +1,12 @@
+locals {
+ account_id = var.account_id != "" ? var.account_id : data.aws_caller_identity.current.account_id
+ account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
+ region = data.aws_region.current.name
+ region_short = join("", [for c in split("-", local.region) : substr(c, 0, 1)])
+
+ base_tags = {
+ "boc:tf_module_version" = local._module_version
+ "boc:tf_module_name" = local._module_name
+ "boc:created_by" = "terraform"
+ }
+}
diff --git a/policies/sc-servicecatalog-t1/main.tf b/policies/sc-servicecatalog-t1/main.tf
new file mode 100644
index 0000000..3c91f4a
--- /dev/null
+++ b/policies/sc-servicecatalog-t1/main.tf
@@ -0,0 +1,2 @@
+/*
+*/
diff --git a/policies/sc-servicecatalog-t1/module_name.tf b/policies/sc-servicecatalog-t1/module_name.tf
new file mode 100644
index 0000000..4240482
--- /dev/null
+++ b/policies/sc-servicecatalog-t1/module_name.tf
@@ -0,0 +1,3 @@
+locals {
+ _module_name = "aws-sso/policies/sc-servicecatalog-t1"
+}
diff --git a/policies/sc-servicecatalog-t1/outputs.tf b/policies/sc-servicecatalog-t1/outputs.tf
new file mode 100644
index 0000000..ef99006
--- /dev/null
+++ b/policies/sc-servicecatalog-t1/outputs.tf
@@ -0,0 +1,24 @@
+output "name" {
+ description = "Permission Set Name for which all settings apply"
+ value = var.name
+}
+
+output "managed_policy_names" {
+ description = "Names of AWS Managed Policy to attach to the permissionset"
+ value = var.managed_policy_names
+}
+
+output "customer_managed_policy_names" {
+ description = "Map of policy name to permission boundary of Customer Managed Policy to attach to the permissionset"
+ value = var.customer_managed_policy_names
+}
+
+output "inline_policy" {
+ description = "AWS Policy document for the single allowed inline policy (use .json to get policy)"
+ value = var.inline_policy
+}
+
+output "relay_state" {
+ description = "Relay State to pass along to permissionset"
+ value = var.relay_state
+}
diff --git a/policies/sc-servicecatalog-t1/policy.tf b/policies/sc-servicecatalog-t1/policy.tf
new file mode 100644
index 0000000..425ab7f
--- /dev/null
+++ b/policies/sc-servicecatalog-t1/policy.tf
@@ -0,0 +1,13 @@
+data "aws_iam_policy_document" "inline" {
+ statement {
+ sid = "OnlyReadOperationsOnOrganizations"
+ effect = "Allow"
+ actions = [
+ "organizations:Describe*",
+ "organizations:List*",
+ "account:Get*",
+ "account:List*"
+ ]
+ resources = ["*"]
+ }
+}
diff --git a/policies/sc-servicecatalog-t1/prefixes.tf b/policies/sc-servicecatalog-t1/prefixes.tf
new file mode 120000
index 0000000..5bc256c
--- /dev/null
+++ b/policies/sc-servicecatalog-t1/prefixes.tf
@@ -0,0 +1 @@
+../../common/prefixes.tf
\ No newline at end of file
diff --git a/policies/sc-servicecatalog-t1/settings.tf b/policies/sc-servicecatalog-t1/settings.tf
new file mode 100644
index 0000000..14c7a78
--- /dev/null
+++ b/policies/sc-servicecatalog-t1/settings.tf
@@ -0,0 +1,6 @@
+locals {
+ settings = var.settings_file != null ? (fileexists(var.settings_file) ? yamldecode(file(var.settings_file)) : null) : null
+ name = coalesce(var.name, try(local.settings.group, null))
+ description = coalesce(var.description, try(local.settings.description, null), local.name)
+ auto_policy_count = try(local.settings.auto_policy_count, var.auto_policy_count)
+}
diff --git a/policies/sc-servicecatalog-t1/variables.common.tf b/policies/sc-servicecatalog-t1/variables.common.tf
new file mode 120000
index 0000000..e01226c
--- /dev/null
+++ b/policies/sc-servicecatalog-t1/variables.common.tf
@@ -0,0 +1 @@
+../../common/variables.common.tf
\ No newline at end of file
diff --git a/policies/sc-servicecatalog-t1/variables.settings.tf b/policies/sc-servicecatalog-t1/variables.settings.tf
new file mode 120000
index 0000000..1326193
--- /dev/null
+++ b/policies/sc-servicecatalog-t1/variables.settings.tf
@@ -0,0 +1 @@
+../../common/variables.settings.tf
\ No newline at end of file
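Review bot: The sid `OnlyReadOperationsOnOrganizations` understates what the statement grants: besides `organizations:Describe*`/`List*` it also allows `account:Get*` and `account:List*`, which are Account Management reads (contact and alternate-contact details, region opt-in status) rather than Organizations calls. Renaming it, e.g. `sid = "ReadOnlyOrganizationsAndAccount"`, or splitting the Account actions into their own statement keeps the rendered policy self-describing for whoever audits the permission set later. `resources = ["*"]` is unavoidable for the `List*` calls, but since this document is meant to be copied across orgs a one-line comment above `actions` noting that every action is read-only and why the wildcards are accepted would be worth adding.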
diff --git a/policies/sc-servicecatalog-t1/variables.tf b/policies/sc-servicecatalog-t1/variables.tf
new file mode 100644
index 0000000..c331403
--- /dev/null
+++ b/policies/sc-servicecatalog-t1/variables.tf
@@ -0,0 +1,29 @@
+variable "name" {
+ description = "Permission Set Name for which all settings apply"
+ type = string
+ default = null
+}
+
+variable "managed_policy_names" {
+ description = "Names of AWS Managed Policy to attach to the permissionset"
+ type = list(string)
+ default = []
+}
+
+variable "customer_managed_policy_names" {
+ description = "Map of policy name to permission boundary of Customer Managed Policy to attach to the permissionset"
+ type = map(string)
+ default = {}
+}
+
+variable "inline_policy" {
+ description = "AWS Policy document for the single allowed inline policy"
+ type = string
+ default = null
+}
+
+variable "relay_state" {
+ description = "Relay State to pass along to permissionset"
+ type = string
+ default = null
+}
diff --git a/policies/sc-servicecatalog-t1/version.tf b/policies/sc-servicecatalog-t1/version.tf
new file mode 120000
index 0000000..4950c91
--- /dev/null
+++ b/policies/sc-servicecatalog-t1/version.tf
@@ -0,0 +1 @@
+../../common/version.tf
\ No newline at end of file
diff --git a/policies/sc-servicecatalog-t1/versions.tf b/policies/sc-servicecatalog-t1/versions.tf
new file mode 120000
index 0000000..cbeda73
--- /dev/null
+++ b/policies/sc-servicecatalog-t1/versions.tf
@@ -0,0 +1 @@
+../../common/versions.tf
\ No newline at end of file
From 39b0d7451f7f3052a10cf61362d4bcd9b773107e Mon Sep 17 00:00:00 2001
From: badra001
Date: Fri, 16 Jan 2026 12:23:42 -0500
Subject: [PATCH 2/8] remove settings.tf
---
 policies/sc-servicecatalog-t1/settings.tf | 6 ------
 1 file changed, 6 deletions(-)
 delete mode 100644 policies/sc-servicecatalog-t1/settings.tf
diff --git a/policies/sc-servicecatalog-t1/settings.tf b/policies/sc-servicecatalog-t1/settings.tf
deleted file mode 100644
index 14c7a78..0000000
--- a/policies/sc-servicecatalog-t1/settings.tf
+++ /dev/null
@@ -1,6 +0,0 @@
-locals {
- settings = var.settings_file != null ? (fileexists(var.settings_file) ? yamldecode(file(var.settings_file)) : null) : null
- name = coalesce(var.name, try(local.settings.group, null))
- description = coalesce(var.description, try(local.settings.description, null), local.name)
- auto_policy_count = try(local.settings.auto_policy_count, var.auto_policy_count)
-}
From 03c28194292e825c2000c22f2600bca64caca035 Mon Sep 17 00:00:00 2001
From: badra001
Date: Fri, 16 Jan 2026 12:25:51 -0500
Subject: [PATCH 3/8] update region
---
 policies/sc-servicecatalog-t1/locals.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policies/sc-servicecatalog-t1/locals.tf b/policies/sc-servicecatalog-t1/locals.tf
index 5cba936..6aa29cd 100644
--- a/policies/sc-servicecatalog-t1/locals.tf
+++ b/policies/sc-servicecatalog-t1/locals.tf
@@ -1,7 +1,7 @@
 locals {
 account_id = var.account_id != "" ? var.account_id : data.aws_caller_identity.current.account_id
 account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
- region = data.aws_region.current.name
+ region = data.aws_region.current.region
 region_short = join("", [for c in split("-", local.region) : substr(c, 0, 1)])
 
 base_tags = {
From e8ce56088b60331a976dd429d306feadc86af5b4 Mon Sep 17 00:00:00 2001
From: badra001
Date: Fri, 16 Jan 2026 12:28:54 -0500
Subject: [PATCH 4/8] fix inline_policy
---
 policies/sc-servicecatalog-t1/README.md | 2 --
 policies/sc-servicecatalog-t1/outputs.tf | 2 +-
 policies/sc-servicecatalog-t1/variables.settings.tf | 1 -
 policies/sc-servicecatalog-t1/variables.tf | 10 +++++-----
 4 files changed, 6 insertions(+), 9 deletions(-)
 delete mode 120000 policies/sc-servicecatalog-t1/variables.settings.tf
diff --git a/policies/sc-servicecatalog-t1/README.md b/policies/sc-servicecatalog-t1/README.md
index c8eed4b..243ac06 100644
--- a/policies/sc-servicecatalog-t1/README.md
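Review bot: `data.aws_region.current.region` is, as far as I can tell, an attribute of the v6 AWS provider line (where `name` is deprecated), but at this point in the series the shared versions.tf still allows `>= 3.66.0`; that constraint is only raised to `>= 6.0` in patch 5, so this commit does not validate on its own against an older provider. Folding this change into patch 5, or moving the constraint bump ahead of it, keeps every commit in the series buildable, which matters for bisecting. The identical `name` to `region` edit in group-assignment/locals.tf and permissionset/locals.tf lands in patch 5 together with the bump, so those two are fine. The `locals` block's `base_tags` map continues past the end of the hunk.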
+++ b/policies/sc-servicecatalog-t1/README.md
@@ -30,12 +30,10 @@ No modules.
 | [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no |
 | [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no |
 | [customer\_managed\_policy\_names](#input\_customer\_managed\_policy\_names) | Map of policy name to permission boundary of Customer Managed Policy to attach to the permissionset | `map(string)` | `{}` | no |
-| [inline\_policy](#input\_inline\_policy) | AWS Policy document for the single allowed inline policy | `string` | `null` | no |
 | [managed\_policy\_names](#input\_managed\_policy\_names) | Names of AWS Managed Policy to attach to the permissionset | `list(string)` | `[]` | no |
 | [name](#input\_name) | Permission Set Name for which all settings apply | `string` | `null` | no |
 | [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component. This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
 | [relay\_state](#input\_relay\_state) | Relay State to pass along to permissionset | `string` | `null` | no |
-| [settings\_file](#input\_settings\_file) | File name and path to YAML with users(list), account\_ids(list), org\_ous(list), and all(bool). See sample.yml in code. | `string` | `null` | no |
 | [tags](#input\_tags) | AWS Tags to apply to appropriate resources | `map(string)` | `{}` | no |
 
 ## Outputs
diff --git a/policies/sc-servicecatalog-t1/outputs.tf b/policies/sc-servicecatalog-t1/outputs.tf
index ef99006..8467959 100644
--- a/policies/sc-servicecatalog-t1/outputs.tf
+++ b/policies/sc-servicecatalog-t1/outputs.tf
@@ -15,7 +15,7 @@ output "customer_managed_policy_names" {
 
 output "inline_policy" {
 description = "AWS Policy document for the single allowed inline policy (use .json to get policy)"
- value = var.inline_policy
+ value = data.aws_iam_policy_document.inline
 }
 
 output "relay_state" {
diff --git a/policies/sc-servicecatalog-t1/variables.settings.tf b/policies/sc-servicecatalog-t1/variables.settings.tf
deleted file mode 120000
index 1326193..0000000
--- a/policies/sc-servicecatalog-t1/variables.settings.tf
+++ /dev/null
@@ -1 +0,0 @@
-../../common/variables.settings.tf
\ No newline at end of file
diff --git a/policies/sc-servicecatalog-t1/variables.tf b/policies/sc-servicecatalog-t1/variables.tf
index c331403..53d6bf1 100644
--- a/policies/sc-servicecatalog-t1/variables.tf
+++ b/policies/sc-servicecatalog-t1/variables.tf
@@ -16,11 +16,11 @@ variable "customer_managed_policy_names" {
 default = {}
 }
 
-variable "inline_policy" {
- description = "AWS Policy document for the single allowed inline policy"
- type = string
- default = null
-}
+# variable "inline_policy" {
+# description = "AWS Policy document for the single allowed inline policy"
+# type = string
+# default = null
+# }
 
 variable "relay_state" {
 description = "Relay State to pass along to permissionset"
From e5eb83864d9260312f743e01e59100c953173f5b Mon Sep 17 00:00:00 2001
From: badra001
Date: Fri, 16 Jan 2026 12:36:15 -0500
Subject: [PATCH 5/8] * 1.4.0 -- 2026-01-16 - change AWS provider to >= 6 - change region from name to region in locals - require TF 1.12+ - policies - create new central policies to be used for permissionsets so they can be consistent across orgs - created policies - policies/sc-servicecatalog-t1
---
 CHANGELOG.md | 9 +++++++++
 common/version.tf | 2 +-
 common/versions.tf | 4 ++--
 group-assignment/accounts.tf | 8 ++++----
 group-assignment/locals.tf | 2 +-
 group-assignment/outputs.tf | 2 +-
 group-assignment/users.tf | 2 +-
 permissionset/README.md | 5 +++--
 permissionset/locals.tf | 2 +-
 9 files changed, 23 insertions(+), 13 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 33db3e8..97ce29f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
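Review bot: The `inline_policy` variable is commented out rather than deleted, which leaves dead code in variables.tf; git history already holds the old declaration, so dropping the five `#` lines is cleaner. Patch 6 then sidelines the whole file as `variables.tf.unused`, which Terraform ignores, but the remaining `name`, `managed_policy_names`, `customer_managed_policy_names` and `relay_state` declarations still read as module inputs to anyone browsing the directory even though settings.tf hard-codes those values. Either delete the file or open it with `# Not loaded by Terraform (.unused); kept as a template for new policy modules` so the intent is explicit. The `variable "relay_state"` block continues past the end of the hunk.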
@@ -53,3 +53,12 @@
 * 1.3.2 -- 2025-02-14
 - group-assignment
 - make ldap_group happen after idc group
+
+* 1.4.0 -- 2026-01-16
+ - change AWS provider to >= 6
+ - change region from name to region in locals
+ - require TF 1.12+
+ - policies
+ - create new central policies to be used for permissionsets so they can be consistent across orgs
+ - created policies
+ - policies/sc-servicecatalog-t1
diff --git a/common/version.tf b/common/version.tf
index 5ec2ece..37ff20f 100644
--- a/common/version.tf
+++ b/common/version.tf
@@ -1,3 +1,3 @@
 locals {
- _module_version = "1.3.2"
+ _module_version = "1.4.0"
 }
diff --git a/common/versions.tf b/common/versions.tf
index 34eb3b9..3b04f30 100644
--- a/common/versions.tf
+++ b/common/versions.tf
@@ -1,9 +1,9 @@
 terraform {
+ required_version = ">= 1.12"
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = ">= 3.66.0"
+ version = ">= 6.0"
 }
 }
- # required_version = ">= 0.13"
 }
diff --git a/group-assignment/accounts.tf b/group-assignment/accounts.tf
index 1f8b3e0..a0de8c1 100644
--- a/group-assignment/accounts.tf
+++ b/group-assignment/accounts.tf
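Review bot: `version = ">= 6.0"` in common/versions.tf has no upper bound, so the next major release of the AWS provider, with whatever breaking changes it carries, will be picked up by every module that symlinks this file as soon as someone runs `terraform init -upgrade`. Since this file exists precisely to keep the permission-set modules consistent across orgs, `version = "~> 6.0"` pins to the 6.x line while still accepting minor and patch updates, and the same `~>` form could be applied to `required_version` if Terraform core should be pinned the same way. The CHANGELOG entry in this patch says `>= 6`, so update it if the constraint changes.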
@@ -9,14 +9,14 @@ locals {
 active_accounts_map = { for account in data.aws_organizations_organizational_unit_descendant_accounts.accounts.accounts : account.name => account if account.status == "ACTIVE" }
 active_accounts = { for k, v in local.active_accounts_map : k => v.id }
- _id_1 = ! local.org_all && length(local.org_account_names) > 0 ? [for k in local.org_account_names : lookup(local.active_accounts, k, null)] : []
- _id_2 = ! local.org_all && length(local.org_account_ids) > 0 ? [for k in local.org_account_ids : k if contains(values(local.active_accounts), k)] : []
+ _id_1 = !local.org_all && length(local.org_account_names) > 0 ? [for k in local.org_account_names : lookup(local.active_accounts, k, null)] : []
+ _id_2 = !local.org_all && length(local.org_account_ids) > 0 ? [for k in local.org_account_ids : k if contains(values(local.active_accounts), k)] : []
 organizational_unit_hierarchy = length(var.organizational_unit_hierarchy) > 0 ? { for k, v in var.organizational_unit_hierarchy : k => v.self_id } : {}
 # _ou_1 = ! local.org_all && length(local.organizational_unit_names) > 0 && length(var.organizational_unit_hierarchy) > 0 ? [for k, v in local.organizational_unit_names : lookup(local.organizational_unit_hierarchy, k, null)] : []
- _ou_1 = ! local.org_all && length(local.organizational_unit_names) > 0 && length(var.organizational_unit_hierarchy) > 0 ? { for k, v in local.organizational_unit_hierarchy : k => v if contains(local.organizational_unit_names, k) } : {}
- _ou_2 = ! local.org_all && length(var.organizational_unit_ids) > 0 && length(var.organizational_unit_hierarchy) > 0 ? { for k in var.organizational_unit_ids : k => k } : {}
+ _ou_1 = !local.org_all && length(local.organizational_unit_names) > 0 && length(var.organizational_unit_hierarchy) > 0 ?
{ for k, v in local.organizational_unit_hierarchy : k => v if contains(local.organizational_unit_names, k) } : {}
+ _ou_2 = !local.org_all && length(var.organizational_unit_ids) > 0 && length(var.organizational_unit_hierarchy) > 0 ? { for k in var.organizational_unit_ids : k => k } : {}
 
 # organizational_units = distinct(compact(concat(local._ou_1, local._ou_2)))
 organizational_units = merge(local._ou_1, local._ou_2)
diff --git a/group-assignment/locals.tf b/group-assignment/locals.tf
index 5cba936..6aa29cd 100644
--- a/group-assignment/locals.tf
+++ b/group-assignment/locals.tf
@@ -1,7 +1,7 @@
 locals {
 account_id = var.account_id != "" ? var.account_id : data.aws_caller_identity.current.account_id
 account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
- region = data.aws_region.current.name
+ region = data.aws_region.current.region
 region_short = join("", [for c in split("-", local.region) : substr(c, 0, 1)])
 
 base_tags = {
diff --git a/group-assignment/outputs.tf b/group-assignment/outputs.tf
index 3cb0848..e0cb291 100644
--- a/group-assignment/outputs.tf
+++ b/group-assignment/outputs.tf
@@ -20,6 +20,6 @@ output "users" {
 value = {
 users = local.users
 valid_ldap_users = { for k, v in local.ldap_user_attributes : k => v.mail if can(v.mail) }
- invalid_ldap_users = [for k, v in local.ldap_user_attributes : k if ! can(v.mail)]
+ invalid_ldap_users = [for k, v in local.ldap_user_attributes : k if !can(v.mail)]
 }
 }
diff --git a/group-assignment/users.tf b/group-assignment/users.tf
index cea9c08..2ce676a 100644
--- a/group-assignment/users.tf
+++ b/group-assignment/users.tf
@@ -32,7 +32,7 @@ data "aws_identitystore_user" "users" {
 
 locals {
 ldap_groups_base_dn = "o=U.S. Census Bureau,c=US"
- ldap_groups_members = distinct(flatten([for k, v in data.ldap_object.ldap_groups : [for m in jsondecode(lookup(v.attributes_json, "memberUid", "")) : m if ! startswith(m, "p-") && (m != "[DynamicDN]")]]))
+ ldap_groups_members = distinct(flatten([for k, v in data.ldap_object.ldap_groups : [for m in jsondecode(lookup(v.attributes_json, "memberUid", "")) : m if !startswith(m, "p-") && (m != "[DynamicDN]")]]))
 }
 
 data "ldap_object" "ldap_groups" {
diff --git a/permissionset/README.md b/permissionset/README.md
index a119f96..ac843a7 100644
--- a/permissionset/README.md
+++ b/permissionset/README.md
@@ -2,13 +2,14 @@
 
 | Name | Version |
 |------|---------|
-| [aws](#requirement\_aws) | >= 3.66.0 |
+| [terraform](#requirement\_terraform) | >= 1.12 |
+| [aws](#requirement\_aws) | >= 6.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| [aws](#provider\_aws) | >= 3.66.0 |
+| [aws](#provider\_aws) | >= 6.0 |
 
 ## Modules
 
diff --git a/permissionset/locals.tf b/permissionset/locals.tf
index 5cba936..6aa29cd 100644
--- a/permissionset/locals.tf
+++ b/permissionset/locals.tf
@@ -1,7 +1,7 @@
 locals {
 account_id = var.account_id != "" ? var.account_id : data.aws_caller_identity.current.account_id
 account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
- region = data.aws_region.current.name
+ region = data.aws_region.current.region
 region_short = join("", [for c in split("-", local.region) : substr(c, 0, 1)])
 
 base_tags = {
From 1941ae66e040ec09d623ee048cee3eb82af5109c Mon Sep 17 00:00:00 2001
From: badra001
Date: Fri, 16 Jan 2026 12:53:29 -0500
Subject: [PATCH 6/8] fix
---
 policies/sc-servicecatalog-t1/README.md | 9 +++------
 policies/sc-servicecatalog-t1/outputs.tf | 10 +++++-----
 policies/sc-servicecatalog-t1/settings.tf | 10 ++++++++++
 .../{variables.tf => variables.tf.unused} | 0
 4 files changed, 18 insertions(+), 11 deletions(-)
 create mode 100644 policies/sc-servicecatalog-t1/settings.tf
 rename policies/sc-servicecatalog-t1/{variables.tf => variables.tf.unused} (100%)
diff --git a/policies/sc-servicecatalog-t1/README.md b/policies/sc-servicecatalog-t1/README.md
index 243ac06..33cb3c2 100644
--- a/policies/sc-servicecatalog-t1/README.md
+++ b/policies/sc-servicecatalog-t1/README.md
@@ -2,13 +2,14 @@
 
 | Name | Version |
 |------|---------|
-| [aws](#requirement\_aws) | >= 3.66.0 |
+| [terraform](#requirement\_terraform) | >= 1.12 |
+| [aws](#requirement\_aws) | >= 6.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| [aws](#provider\_aws) | >= 3.66.0 |
+| [aws](#provider\_aws) | >= 6.0 |
 
 ## Modules
 
@@ -29,11 +30,7 @@ No modules.
 |------|-------------|------|---------|:--------:|
 | [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no |
 | [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no |
-| [customer\_managed\_policy\_names](#input\_customer\_managed\_policy\_names) | Map of policy name to permission boundary of Customer Managed Policy to attach to the permissionset | `map(string)` | `{}` | no |
-| [managed\_policy\_names](#input\_managed\_policy\_names) | Names of AWS Managed Policy to attach to the permissionset | `list(string)` | `[]` | no |
-| [name](#input\_name) | Permission Set Name for which all settings apply | `string` | `null` | no |
 | [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component. This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
-| [relay\_state](#input\_relay\_state) | Relay State to pass along to permissionset | `string` | `null` | no |
 | [tags](#input\_tags) | AWS Tags to apply to appropriate resources | `map(string)` | `{}` | no |
 
 ## Outputs
diff --git a/policies/sc-servicecatalog-t1/outputs.tf b/policies/sc-servicecatalog-t1/outputs.tf
index 8467959..b1158eb 100644
--- a/policies/sc-servicecatalog-t1/outputs.tf
+++ b/policies/sc-servicecatalog-t1/outputs.tf
@@ -1,24 +1,24 @@
 output "name" {
 description = "Permission Set Name for which all settings apply"
- value = var.name
+ value = local.name
 }
 
 output "managed_policy_names" {
 description = "Names of AWS Managed Policy to attach to the permissionset"
- value = var.managed_policy_names
+ value = local.managed_policy_names
 }
 
 output "customer_managed_policy_names" {
 description = "Map of policy name to permission boundary of Customer Managed Policy to attach to the permissionset"
- value = var.customer_managed_policy_names
+ value = local.customer_managed_policy_names
 }
 
 output "inline_policy" {
 description = "AWS Policy document for the single allowed inline policy (use .json to get policy)"
- value = data.aws_iam_policy_document.inline
+ value = local.inline
 }
 
 output "relay_state" {
 description = "Relay State to pass along to permissionset"
- value = var.relay_state
+ value = local.relay_state
 }
diff --git a/policies/sc-servicecatalog-t1/settings.tf b/policies/sc-servicecatalog-t1/settings.tf
new file mode 100644
index 0000000..01cd7e0
--- /dev/null
+++ b/policies/sc-servicecatalog-t1/settings.tf
@@ -0,0 +1,10 @@
+locals {
+ name = "servicecatalog-t1"
+ managed_policy_names = [
+ "ReadOnlyAccess",
+ "AWSServiceCatalogEndUserFullAccess"
+ ]
+ customer_managed_policy_names = {}
+ relay_state = "https://console.amazonaws-us-gov.com/servicecatalog/home"
+ inline_policy = data.aws_iam_policy_document.inline
+}
diff --git a/policies/sc-servicecatalog-t1/variables.tf b/policies/sc-servicecatalog-t1/variables.tf.unused
similarity index 100%
rename from policies/sc-servicecatalog-t1/variables.tf
rename to policies/sc-servicecatalog-t1/variables.tf.unused
From d3ffde29b837756815af744b23cb808570654aa3 Mon Sep 17 00:00:00 2001
From: badra001
Date: Fri, 16 Jan 2026 12:54:52 -0500
Subject: [PATCH 7/8] fix
---
 policies/sc-servicecatalog-t1/outputs.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
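Review bot: In the new settings.tf, `managed_policy_names` attaches `ReadOnlyAccess`, which is much broader than a tier-1 Service Catalog end-user profile suggests: it grants read on nearly every service, including data-plane reads such as `s3:Get*` on object contents, not just console metadata. If the goal is only to let end users browse the console around the products they launch, `ViewOnlyAccess` (metadata only) or a scoped customer-managed policy is the narrower fit; if the wide read really is required, a comment on the `"ReadOnlyAccess",` line saying why should go in, because this local is what every org will inherit. The inline document from policy.tf (`organizations:Describe*`/`List*`, `account:Get*`/`List*`) also looks largely redundant with what `ReadOnlyAccess` already contains, so the effective grant is worth checking once with the IAM policy simulator or Access Analyzer rather than assumed.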
diff --git a/policies/sc-servicecatalog-t1/outputs.tf b/policies/sc-servicecatalog-t1/outputs.tf
index b1158eb..776869b 100644
--- a/policies/sc-servicecatalog-t1/outputs.tf
+++ b/policies/sc-servicecatalog-t1/outputs.tf
@@ -15,7 +15,7 @@ output "customer_managed_policy_names" {
 
 output "inline_policy" {
 description = "AWS Policy document for the single allowed inline policy (use .json to get policy)"
- value = local.inline
+ value = local.inline_policy
 }
 
 output "relay_state" {
From 9170c74025dc21649d37a239c7ae67eefeea7d5e Mon Sep 17 00:00:00 2001
From: badra001
Date: Fri, 16 Jan 2026 13:02:33 -0500
Subject: [PATCH 8/8] select relay state by partition
---
 policies/sc-servicecatalog-t1/settings.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policies/sc-servicecatalog-t1/settings.tf b/policies/sc-servicecatalog-t1/settings.tf
index 01cd7e0..5b3585f 100644
--- a/policies/sc-servicecatalog-t1/settings.tf
+++ b/policies/sc-servicecatalog-t1/settings.tf
@@ -5,6 +5,6 @@ locals {
 "AWSServiceCatalogEndUserFullAccess"
 ]
 customer_managed_policy_names = {}
- relay_state = "https://console.amazonaws-us-gov.com/servicecatalog/home"
+ relay_state = data.aws_arn.current.partition == "aws-us-gov" ? "https://console.amazonaws-us-gov.com/servicecatalog/home" : "https://console.aws.amazon.com/servicecatalog/home"
 inline_policy = data.aws_iam_policy_document.inline
 }
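Review bot: The partition test on the new `relay_state` line duplicates the one in locals.tf, where `account_environment` is already derived from `data.aws_arn.current.partition == "aws-us-gov"`; keying off that local keeps the two from drifting: `relay_state = local.account_environment == "gov" ? "https://console.amazonaws-us-gov.com/servicecatalog/home" : "https://console.aws.amazon.com/servicecatalog/home"`. Any partition other than `aws-us-gov` (such as `aws-cn`) falls through to the commercial console URL, which is presumably intended for this repo but deserves a short comment on the line. The `locals` block begins above the hunk.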